Hackers use FAFSA application to steal tax info

This is an archived article and the information in the article may be outdated. Please look at the time stamp on the story to see when it was last updated.

Hackers accessed the data of up to 100,000 people through a tool that helps students get financial aid.

IRS Commissioner John Koskinen testified before the Senate Finance Committee Thursday that a breach had been discovered in the fall. In September, he said, his agency discovered that fraudsters could use someone’s personal data to fill out a financial aid application, and the “Data Retrieval Tool” would populate the application with tax information.

That information could be used to file false tax returns. The commissioner said fewer than 8,000 of these returns were processed, and refunds were issued totaling $30 million.

The tool is part of the Free Application for Federal Student Aid (FAFSA) system, which is used to determine how much financial aid students receive for college.

In October, the IRS told the Department of Education that the system could be abused by criminals, but because up to 15 million people use the system for convenience, they kept it available. However, in February, the agency witnessed a pattern of fraudulent activity, and it shut down the automated tool in March.

The IRS flagged 100,000 accounts of people who started the application, used the Data Retrieval Tool, but then didn’t finish it. The IRS is alerting those people, as they may have had their information compromised, but Koskinen said some of those applications are likely authentic.

Tax season is a boon for hackers who want to take advantage of taxpayers’ data. Sometimes people impersonate the IRS to try and get information out of targets, either through phone scams or email tricks called phishing.

According to the IRS, the 2016 tax season saw a 400% increase in phishing and malware. Earlier this year, the agency reported that cybercriminals were trying to steal W-2 information in what Koskinen called “one of the most dangerous email phishing scams,” the agency had recently seen.

The FAFSA tool remains offline, and Koskinen told lawmakers the IRS is developing software to mask the personal tax data to prevent further theft, but it won’t be implemented until October. Students and parents can still use an online application system, but must manually enter their tax information.